Why FIFA?

Given the fact that the FIFA Ultimate Team cards can be bought and then traded between accounts, it seems clear that these cards represent a cash-making opportunity. Given the price that some of the cards sell for, there is definitely a viable market for them, and where there is a market, someone will be looking to exploit it. The tradable and saleable nature of FIFA cards makes them a perfect item to buy on a hacked Xbox Live account.

I approached Electronic Arts to ask some questions about the issue of hacking, relating to FIFA and Xbox Live. I received the following statement in reply:

“We do our best to educate FIFA players to take measures to keep their accounts safe. Below are a couple of articles that we published at the launch of FIFA 12 on our website and in our forums to help gamers play safe. 

http://www.ea.com/soccer/news/fut12-stay-safe-01

http://forum.ea.com/uk/posts/list/1029839.page

For questions regarding Xbox Live accounts, those should be directed to Microsoft.”

With dedicated pages set up on the EA Forums to deal with this issue, at least the company is admitting that there is a problem. This much is clear from the following entry on the second forum post: “The majority of people playing Ultimate Team are honest. Unfortunately, there are a very small percentage of individuals who are cheats, and they are looking to steal your account information.”

Why Xbox Live?

This is the one question that has repeatedly nagged at me throughout this incident. Microsoft and EA both admit that there are dishonest people currently looking to exploit honest gamers’ accounts. But why are all these reports of FIFA-related hacking coming from Xbox Live, with no similar tales emerging from the PlayStation Network?

While I am no security expert, and I can by no means claim to provide a definitive answer, there is one big difference that strikes me when looking at the PlayStation 3 and Xbox 360 side by side.

It appears to me that it is far too easy to recover someone’s full Xbox Live account, including profile and payment details, to another 360 console. If a hacker manages to get access to a linked Windows Live ID and password, it seems they can recover the account, access the profile information, and use the stored credit card details to make purchases.

On PlayStation 3, registering an existing account on a new console is just as simple, also requiring the email address and password of the user. However, if there is a credit card linked to the account, Sony requires you to verify this information by providing the expiry date and security number on the card. Failure to do so results in the stored card details being wiped before you are allowed access to the account.

It is such a small difference, but maybe it is the one thing currently limiting this wave of hacking to the Xbox Live network. I have contacted Microsoft to ask for comment on this issue, and am awaiting a reply.

Lessons to be learned?

All the advice given by EA and Microsoft relating to the maintenance of safe accounts certainly makes sense. Choosing unusual passwords, swapping them often, and not using the same password across multiple sites is good practice, and may help to prevent hacking. But while it is easy to shrug these incidents off, blaming them on the security practices of affected Xbox Live users, and a number of malicious hackers, could it be that Microsoft needs to look at its own security protocol and ask if it is good enough?
